COPY 


MULTICS  SECURITY  EVALUATION: 

PASSWORD  AND  FILE  ENCRYPTION  TECHNIQUES 


^ Deputy  for  Command  and  Management  Systems 

A 


June  1977 


r 


ui  OCT  17  1977 

J[n5C£!Ginn 

qx  c 


Approved  for  Public  Release; 
Distribution  Unlimited. 


Prepared  for 


DEPUTY  FOR  COMMAND  AND  MANAGEMENT  SYSTEMS 
ELECTRONIC  SYSTEMS  DIVISION 
HANSCOM  AIR  FORCE  BASE,  MA  01731 


LEGAL  NOTICE 


When  U.  S.  Government  drawings,  specifications  or  other  data  are  used  for  any 
purpose  other  than  a definitely  related  government  procurement  operation,  the 
government  thereby  incurs  no  responsibility  nor  any  obligation  whatsoever;  and 
the  fact  that  the  government  may  have  formulated,  furnished,  or  in  any  way  sup- 
plied the  said  drawings,  specifications,  or  other  data  is  not  to  be  regarded  by 
implication  or  otherwise  as  in  any  manner  licensing  the  holder  or  any  other  person 
or  conveying  any  rights  or  permission  to  manufacture,  use,  or  sell  any  patented 
invention  that  may  in  any  way  be  related  thereto. 


OTHER  NOTICES 


Do  not  return  this  copy.  Retain  or  destroy. 


This  technical  report  has  been  reviewed  and  is  approved  for  publication. 


ROGEIR?  ^ HELL 

'System  Security  Program  Manager 


BRIAN  W.  WOODRUFF,  Captain,  USAF 
Techniques  Engineering  Division 


FOR  THE  COMMANDER 


FRANK  J.  EMM#  Colonel,  USAF 
Director , Computer  Systems  Engineering 
Deputy  for  Command  & Management  Systems 


UNCLASSIFIED 


SECURITY  CLASSIFICATION  OF  THIS  FACE  fWhMi  Dots  Eni.r.d) 


REPORT  DOCUMENTATION  PAGE 


ESD-TR-74-193^.  Vo 


READ  INSTRUCTIONS 
BEFORE  COMPLETING  FORM 


S.  RECIPIENT'S  CATALOG  NUMBER 


IL9UU! 


LE  (and  Subtit!.}  — 


^lULTICS  SECURITY  ^VALUATION: 

PASSWORD  AN  1 FILE  ENCRYPTION  TECHNIQUES 


7.  AUTHORf.} 


Peter  J. Downey/  1 Lt,  USAF 


»•  CONTRACT  OR  GRANT  NUMSERf.} 

In-House 


9.  PERFORMING  ORGANIZATION  NAME  ANO  ADDRESS 

Deputy  for  Command  and  Management  Systems  (MCI) 
Electronic  Systems  Division  (AFSC)  </ 

Hanscom  AFB,  Mass.  01731 


II.  CONTROLLING  OFFICE  NAME  ANO  ADDRESS  / ,/ 

Hq.  Electronic  Systems  Division  ( //> 

Hanscom  AFB,  Mass.  01731  N — 


\ 


MONITORING  AGENCY  NAME  A AOORE %S(ll  dlltan 


I from  Controlling  Olll eo)  IS.  SECURITY  CLASS,  (ol  thlo  i 

Unclassified 


IS.  DISTRIBUTION  STATEMENT  (ol  thlo  Roporl) 

Approved  for  public  release;  distribution  unlimited 


'7.  DISTRIBUTION  STATEMENT  (ol  tho  obotroet  onto tog  In  Mloek  20,  II  dlllOTOnt  trom  Honor!) 


is.  supplementary  notes  This  is  Volume  III  of  a 4 Volume  report:  Multics  Security 
Evaluation.  The  other  volumes  are  entitled:  Vol.  I:  Results  and  Recommendations 

Vol. -II:  Vulneraoility  Analysis 
Vol.  IV:  Exemplary  Performance  Unde: 
mandine  Workload 


It.  KEY  WOROS  (Continue  on  rararaa  aid*  II  nacaaaary  and  Identity  by  black  mam  bar) 

Access  Control  Password  Encryption 

Computer  Security  Secure  Computer  Systems 

Multics  Security  Penetration 

Privacy  Security  Testing 

Protection 


ABSTRACT  (Continue  on  rewerae  aida  II  naeaaaary  and  Idantlly  by  block  number) 

asswords  are  stored  in  enciphered  form  in  the  Multics  system.  There  is  no 
clear  text  listing  of  the  password  file.  In  1972,  as  part  of  a security 
analysis  of  Multics,  an  ESD  team  successfuly  inverted  the  enciphering 
algorithm  in  use  on  Multics.  This  report  documents  the  team's  efforts.  As 
a result  of  the  ESD  analysis,  an  improved  encryption  algorithm  is  now  in  use  on 
Multics.. 


JITi’TM' 


UNCLASSIFIED 


SECURITY  classification  of  THIS  page 


PPEFACE 


This  is  Volume  3 of  a 4 volume  report  prepared  for  the 
Air  Force  Data  Services  Center  (AFDSC)  by  the  Directorate  of 
Computer  Systems  Engineering,  Deputy  for  Command  and 
Management  Systems,  Electronic  Systems  Division  (ESD/MCI). 
The  entire  report  represents  an  evaluation  and 
* recommendation  of  the  Honeywell  Multics  system  carried  out 

under  Air  Force  Project  6917  from  March  1972  to  June  1973. 
Work  described  in  this  volume  was  performed  by  personnel  at 
ESD/MCI  with  support  from  the  MITPE  Corporation.  Computer 
facilities  at  the  Rome  Air  Development  Center  and  the 
Massachusetts  Institute  of  Technology  were  used  in  the 
evaluation  effort.  This  volume  was  primarily  authored  by 
lLt  Peter  L.  Downey.  Additional  inputs  to  the  text  made  by 
James  P.  Anderson  and  Captain  Brian  W.  Woodruff.  The 
programs  in  Appendices  B and  C were  written  by  Capt  Paul 
Karger.  The  algorithm  for  "better"  was  developed  by  Lt  Col 
Roger  Schell,  who  also  wrote  the  program  in  Appendix  D. 


TABLE  OF  CONTENTS 


Section 

I.  INTRODUCTION 

1.1  Basis  for  the  Study 

1.2  Why  Scrambled  Passwords? 

1.3  The  Multics  Password  Scrambler 

II.  TRAILING  BLANKS  ATTACK 

III.  GENERAL  SOLUTION 

IV.  BUGS 

V.  CONCLUSION 
REFERENCES 
APPENDIX 


Paqe 


4 

4 

5 

6 

7 

11 

14 

15 

17 

18 


A Password  Scramble  Listing 

B Unscrambling  Listing  for  Short  Passwords  21 

C General  Unscrambling  Listing  for  all 

Passwords  23 

D Improved  Password  Scrambling  Listing 

and  Documentation  29 


LIST  OF  FIGURES 


9 


Figure  Page 

1 Flowchart  for  unscr  9 

2 Cost  in  CPU  time  to  either  successfully 
invert  a password  or  to  report  a failure  10 

3 Flowchart  for  better  13 

4 Flowchart  for  encipher  31 


3 


SECTION  I 
INTRODUCTION 


1.1  Basis  for  the  Study 

The  Multics  system  <ORG71>  began  at  the  Massachusetts 
Institute  of  Technology  (MIT)  in  1964  with  the  objective  of 
producing  a computer  utility  embracing  the  whole  complex  of 
hardware,  software  and  users  to  serve  as  a model  for  other 
similar  systems.  The  impetus  for  Multics  came  from  the 
successful  Compatible  Time  Sharing  System  (CTSS)  that  had 
been  developed  at  MIT  previously  on  the  IBM  709  and  7094. 

The  Multics  system,  because  of  its  ambitious  objectives 
of  serving  as  a prototype  utility  was  concerned  at  the 
outset  with  protection  issues  clearly  in  mind.  The  specific 
mechanisms  designed  to  permit  sharing  of  various  objects 
(i.e.  programs,  data  etc.)  safely  are  discussed  in  <GRA68>, 
<SCH72a> , and  <SCH72b>. 

In  response  to  a requirement  for  "advanced"  interactive 
and  multilevel  processing  imposed  by  the  USAF  and  other  DOD 
customers  in  the  Pentagon,  the  Air  Force  Data  Services 
Center  ( AFDSC)  identified  the-  Honeywell  Multics  system  as  a 
computer  system  that  could  meet  the  requirements.  Because 
of  the  multi-(security) level  processing  ancitipated,  AFDSC 
commissioned  the  Electronic  Systems  Division  (ESD)  of  the 
Air  Force  Systems  Command  to  conduct  a security  analysis  of 
Multics  to  ascertain  whether  the  system  could  indeed  provide 
multilevel  secure  processing  in  a "benign"  (restricted 
access)  environment  where  all  users  have  at  least  a Secret 
clearance  and  some  users  have  a Top  Secret  clearance.  As  a 
result  of  ESD's  security  analysis,  Honeywell  has  implemented 
security  enhancements  to  the  Multics  operating  system  to 
support  AFDSC ' s requirements.  <WKI73> 

As  part  of  the  security  analysis,  penetration  attacks 
were  organized  and  tested  on  the  Multics  systems  at  MIT  and 
at  the  USAF's  Rome  Air  Development  Center.  Volume  II  of 
this  report  <KAR74>  describes  the  results  of  the  penetration 
attacks.  Volume  III  reports  in  detail  on  one  accomplishment 
of  the  penetration  exercise,  namely,  the  successful 
inverting  of  the  "non-invertible"  password  enciphering 
algorithm  which  was  used  in  Multics  at  the  time  of  the 
penetration  in  1972  and  1973.  The  relative  ease  with  which 
the  Multics  password  <jnciphering  algorithm  was  broken  is 
instructive  in  showing  the  care  with  which  a password  or 
file  enciphering  algorithm  must  be  chosen.  It  is  an  example 
of  how  easily  one  can  be  misled  regarding  the 
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"non-invertibil ity"  of  an  algorithm.  The  method  of  analysis 
exploits  some  simple  methods  of  number  theory,  and  points 
out  the  general  approach  taken  in  such  an  analysis. 

1.2  Why  Scrambled  Passwords? 

The  login  password  file  of  any  system  presents  an 
attractive  and  tempting  target  for  would-be  penetrators  of 
time  sharing  systems.  Such  files  have  been  the  primary 
target  of  numerous  penetration  exercises,  because  with  the 
information  contained  in  them  a penetrator  can  masquerade 
indefinitely  and  effectively  for  long  term  exploitation  of  a 
system. 

For  the  reasons  outlined  in  <KAR74>,  obtaining  the 
password  file  internally  from  the  system  is  of  minimal  value 
to  a penetrator  who  is  also  an  authorized  user  of  the 
system.  However,  for  a penetrator  who  may  not  always  be  an 
authorized  user  of  the  system,  obtaining  a user's  password 
is  of  great  value.  In  addition,  passwords  might  appear  in 
memory  dumps.  Therefore,  password  files  need  to  be 
protected  . 

The  special  vulnerability  of  a list  of  passwords  and 
owners  to  attack  by  penetrators  was  recognized  by  R.M. 
Needham  <WIL72>  who  proposed  the  idea  of  storing  the 
ciphertext  of  an  encrypted  password  with  the  owner's 
identification.  He  proposed  that  the  cipher  transformation 
be  'one-way',  that  is,  for  this  particular  use,  there  is  no 
need  to  have  a reversible  transformation  (the  usual  case  for 
cryptographic  applications).  The  reasoning  behind  Needham's 
proposal  was  that  even  if  the  file  of  encrypted  passwords 
and  their  user  identifiers  was  compromised,  it  would  be 
impossible  to  ascertain  the  user's  input  password  and  thus 
masquerading  would  be  prevented. 

Evans  et.  al.  <EVA74>  elaborates  somewhat  on  Needham’s 
proposal  and  discusses,  in  a heuristic  way,  families  of 
password  scrambling  functions.  The  interesting  part  of  that 
paper  is  the  observation  that  some  of  the  primitive 
scrambling  functions  must  be  non-linear  in  order  to  defeat 
analytic  attacks  on  the  algorithms.  In  general,  Evans  has 
covered  the  major  considerations  involved  in  using  one-way 
ciphers  for  password  protection. 

The  scheme  used  to  scramble  passwords  on  Multics  was 
devised  prior  to  and  independently  of  the  considerations 
outlined  by  Evans  (or  in  the  related  papers  by  Purdy  <PUR74> 
or  Johnson  <JOH74>). 
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1.3  The  Multics  Password  Scrambler 

In  the  Multics  system,  user  passwords  are  protected  by 
storing  the  encrypted  version  of  the  password  in  a segment 
known  as  the  Person  Name  Table  ( PNT) . This  is  the  only  form 
in  which  a password  list  is  maintained  in  Multics.  No  clear 
text  listing  of  passwords  exists  anywhere  in  the  system. 

The  PNT  is  further  protected  from  unauthorized  access  by  the 
contents  of  its  Access  Control  List  (ACL) . 

The  one-way  cipher  scheme  used  in  Multics  is  called 
scramble__.  A PL/1  listing  of  the  routine  appears  in 
Append ix~A. 

The  Multics  scrambler  works  by  first  compressing  the  8 
Multics -ASCI I character  password  from  72  to  56  bits  by 
removing  the  high-order  two  bits  (always  zero  in  the  9 bit 
Multics  representation  of  7 bit  ASCII  characters)  from  each 
character.  If  the  password  is  less  than  8 characters  in 
length,  blanks  were  added  to  make  it  8 characters  long.  The 
resulting  compressed  password,  called  p,  is  then  multiplied 
by  its  own  low-order  16  bits,  then  reduced  modulo  10**19-1. 

The  notation 

(1)  R = mod(D,  C)  means 

(2)  D * C*Q+R 

with 

(3)  0 < R < C 

and  C,  D,  Q,  and  R are  all  non-negative  integers.  Define 

(4)  a = mod (p,  2**16) 

Then  the  compressed  password  conversion  to  r,  the  number 
stored  in  the  PNT,  is  given  by 

(5)  r * mod(p*a,  10**19-1) 

Two  attacks  on  this  "non-inver tible"  function  were 
developed.  These  are  discussed  below. 
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SECTION  II 

TRAILING  BLANKS  ATTACK 


If  it  is  assumed  that  most  passwords  are  less  than  or 
equal  to  6 non  blank  characters  in  length  (the  human 
lassitude  hypothesis) , they  can  be  brute  force  decrypted 
very  rapidly. 

Scramble_  left  justifies  the  ASCII  input  characters  in 
the  8 character  field  before  encryption.  As  a result,  a 
password  whose  length  is  less  than  or  equal  to  6 characters 
contains  trailing  blanks  (octal  040)  which  when  compressed 
create  a p of  the  form: 

p=b ( 56) , b ( 55) , b ( 54) b(18),  b(17),  XX  0100000  0100000 

where  the  b(i)  denotes  arbitrary  bits  and  each  X can  be 
either  0 or  1.  On  inspection  there  are  only  four  possible 
lower  16  bit  patterns: 

a ( 1)  = 00  0100000  0100000 

a ( 2)  * 01  0100000  0100000 

a ( 3)  = 10  0100000  0100000 

a ( 4)  =*  11  0100000  0100000 

From  (2)  we  observe,  where  Q is  the  integer  part  of 

D/C, 

(6)  Q * floor (D/C) . 

Letting  c * 10**19-1,  from  (5)  we  have  r * mod(p*a,  c)  . 

Applying  (1)  and  (2)  we  obtain 

(7)  p*a  * c*q+r,  where  q is  a non-negative 

integer . 

In  the  special  case  of  trailing  blanks,  we  are 
attempting  to  find  d in  (7),  given  r (the  encrypted  value  of 
p from  the  PNT) , c (10**19-1),  and  the  only  four  possible 
values  of  a.  In  attempting  a brute  force  decryption  by 
trying  all  possible  values  of  q for  each  of  the  possible 
values  of  a,  the  only  deterrent  is  the  maximum  value  q can 
obtain  from  (7).  The  maximum  value  of  q determines  the 
maximum  number  of  trials  that  would  be  required. 
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We  can  determine  the  maximum  value  of  q by  noting  that 

(8)  q = (p*a-r )/c  < p*a/c 
By  definition  of  a,  we  have 

(9)  a < 2**16 
Similarly,  we  have 

(10)  p < 2**56  and 

(11)  c < 2**64  (i.e.  10**19  < 2**64) 

then 


(12)  p*a/c  < (2**16)  (2**56)/2**64 

< 2**72/2**64 

< 2**8 

The  significance  of  this  result  is  that  a is  so  small 
that  only  a little  over  250  trials  are  required  to  determine 
P* 

A brute-force  algorithm  unscr  (r,  a,  p)  was  created 
which  finds  a valid  password,  p,  which  corresponds  to  the 
encrypted  value,  r,  provided  a = low  order  16  bits  of  p. 
Figure  1 is  a flowchart  for  unscr.  (A  listing  for  unscr 
appears  in  Appendix  B) . The  unscr  subroutine  was  applied  to 
a PNT  which  contained  1082  entries.  Unscr  either  printed  a 
recovered  password,  or  reported  a failure  (passwords  > 6 
characters  long).  Figure  2 depicts  the  cost  in  CPU  time  of 
this  program  on  the  1082  entries.  Sixty-two  percent  of  all 
of  the  passwords  on  the  MIT  Multics  system  were  thus 
obtained  with  little  effort.  The  figure  shows  the  cost  in 
CPU  time  to  recover  short  passwords  was  minimal. 
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FIGURE  2.  Cost  in  CPU  time  to  either  successfully 
invert  a password  or  to  report  a failure 


SUCCESSES  ALGORITHMS  UNSCR 


SECTION  III 
GENERAL  SOLUTION 


Having  developed  a solution  for  a special  case,  it  was 
of  some  interest  to  determine  whether  or  not  a general 
solution  could  be  obtained.  Such  a solution  was  found;  it 
was  based  on  the  observation  that  the  low  order  16  bits  of 
p*a  (the  immediately  transformed  password  (56  bits))  are 
identical  to  a*a. 

Call  the  low  order  16  bits  of  p*a,  d.  Then, 

(13)  d = mod (p*a , 2**16) 

Let  p = x*(2**16)  + a,  where  x is  an  integer.  Then, 

(14)  d = mod ( (x*2**16  + a)*a,  2**16) 

= mod (x*a*2**16 , 2**16)  + mod(a*a,  2**16) 

= 0 + mod(a*a,  2**16) 

» mod  (a*a , 2**16) 

Let  the  function  mod(a*a,  2**16)  = g(a).  Then  let  h(d) 
denote  the  inverse  of  the  function  g.  That  is,  h(d)  denotes 
the  list  of  all  of  a,  (a  £ 2**16),  with  g(a)  * d. 

The  general  decryption  algorithm  was  called  better. 
Better  first  generates  a two-part  table.  Part  I contains 
possible  values  of  d and  a pointer.  The  pointer  is  either  a 
null  pointer  (if  h(d)  is  empty),  or  it  is  a pointer  to  a 
value  of  h(d)  in  part  2 of  the  table. 

The  interesting  aspect  of  h(d)  is  the  fact  that  it  is 
quite  sparse;  consequently  it  has  the  potential  for  rapidly 
discriminating  whether  or  not  a hypothesized  inversion  (of  a 
password)  is  correct. 

To  illustrate  what  is  meant  by  h(d)  being  sparse,  consider 
an  example  in  base  10: 

a g(a)  (mod  10) 


0 0 

1 1 

2 4 

3 9 

4 6 


g(a)  (mod  10) 


5 

6 

7 

8 
9 


5 

6 
9 
4 
1 
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Then 

h (d ) is  given  by : 

d 

h (d) 

d 

h (d ) 

0 

0 

5 

0 

1 

1,9 

6 

4,6 

2 

null 

7 

null 

3 

null 

8 

null 

4 

2,8 

9 

3,7 

In  this  simple  example. 

only  six 

out  of  ten  possible  values 

of  d would  need  to  be  considered  further  in  an  attempt  to 
unscramble  a password. 

Figure  3 is  a flowchart  for  better.  A listing  of  better  is 
in  Appendix  C. 

The  procedure  better  was  run  on  a PNT  of  1085  names. 
The  following  CPU  run  times  were  recorded. 

Table  generation  200  sec 

Inverting  Passwords  148  sec 


Total  Time  348  sec 

Cost/Password  0.32  sec 

Note  that  the  cost  figure  is  comparable  to  that  for  the 
special  case  decryption  based  on  trailing  blanks.  On  a 
larger  PNT,  the  average  cost  would  be  less  since  the  cost  of 
the  d and  h(d)  table  generation  is  constant. 
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SECTION  IV 
BUGS 


As  an  aside,  it  may  be  of  interest  to  note  that  in 
developing  the  general  solution  outlined  above,  it  was 
discovered  that  bugs  existed  in  both  the  mod  and  multiply 
functions  in  Multics  for  double  precision  integers.  Because 
of  limitations  in  the  Honeywell  645  hardware  instruction 
set,  these  functions  were  implemented  in  software.  This 
caused  the  decryption  project  a few  man  days  of  effort  to 
diagnose  what  was  really  happening  and  required  special  code 
(that  exactly  reproduced  the  errors)  to  handle  the  bugs 
introduced  by  these  functions  in  the  original  scrambling 
function. 

It  turned  out  that  the  unscrambling  routine  which  was 
developed  was  put  to  use  when  the  bugs  were  fixed.  Simply 
fixing  the  bugs  would  present  a problem  since  after  the  bugs 
were  fixed,  users  logging  in  would  have  their  passwords 
scrambled  to  new  values  which  would  not  agree  with  the 
values  listed  in  the  PNT.  This  would  happen  because  the  PNT 
was  created  using  the  incorrect  mod  and  multiply  functions. 
The  users  would  therefore  be  denied  permission  to  log  in. 
Because  no  clear  text  listing  of  the  passwords  existed,  the 
unscramble  routine  was  used  to  obtain  a listing  of  all  user 
passwords  when  the  bugs  were  fixed.  This  listing  was  then 
converted  into  a new  PNT  using  a new  encryption  routine. 
Appendix  D is  a listing  of  the  new  encryption  routine.  If 
scramble^  had  been  truly  non-inver tible , it  would  not  have 
been  possible  to  generate  a new  PNT  in  this  fashion. 


SECTION  V 
CONCLUSION 


Password  encryption  is  not  a fundamental  requirement 
for  providing  security  in  a computer  system.  As  discussed 
previously,  if  a penetrator  is  able  to  access  the  password 
file  in  a computer,  he  is  most  likely  able  to  access  any 
other  file  in  that  system  as  well,  and  the  knowledge  of 
users'  passwords  would  be  of  little  value  to  him. 

In  addition,  it  is  generally  unnecessary  to  access  a 
password  file  from  the  system  in  order  to  obtain  a user's 
password.  Obtaining  a user's  password  may  be  as  simple  as 
copying  it  from  some  place  where  the  user  has  written  it. 
Even  if  the  password  is  not  written  down,  it  has  been  found 
that  passwords  can  often  be  easily  guessed  if  the  users  are 
permitted  to  pick  their  own  passwords. 

To  demonstrate  how  easy  it  is  to  guess  a user's 
password,  the  Multics  password  list  obtained  from  the 
decryption  effort  was  sampled.  The  following  approximate 
percentages  of  "easily  guessed"  passwords  were  observed: 


Total 

Passwords  Sampled: 

325 

Directly  Associable 

100 

- (31%) 

Common 

English  Words 

50 

- (15%) 

Short 

(3  letters  or  less) 

20 

- (6%) 

Total 

Easily  Guessed: 

170 

(52%) 

The  category  of  passwords  directly  associable  with  the 
person  covered  two  types  of  associations.  Names,  both 
personal  and  project,  were  one  type  used  to  provide 
associable  passwords.  These  passwords  consisted  of 
initials,  first  names,  reversed  spelling,  friend's  names, 
etc.  Numbers,  such  as  telephone  numbers  and  social  security 
numbers,  were  the  second  type  used  as  directly  associable 
passwords.  Combinations  of  associable  names  and  numbers 
were  also  observed. 

Based  on  this  quick  analysis,  the  conclusion  is  that  if 
users  are  permitted  to  provide  their  own  passwords,  the  work 
required  to  "guess"  a password  is  highly  likely  to  be 
minimal . 

Not  letting  users  pick  their  own  passwords  is  one  way 
to  minimize  the  possibility  of  having  a user's  password 
compromised.  <GAS75>  describes  an  algorithm  for  generating 
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random  pronounceable  passwords.  By  generating  pronounceable 
passwords,  the  algorithm  produces  a password  the  user  is 
more  likely  to  remember,  thus  minimizing  the  need  for  the 
user  to  write  it  down. 

Another  technique  using  one-time  passwords  is  described 
in  <RIC73>.  Under  this  scheme,  a user's  password  is  changed 
every  time  the  user  logs  into  the  system.  In  this  way, 
obtaining  a user's  password  is  of  less  value  since  it  may 
have  been  changed  before  the  penetrator  attempts  to  log  on. 
It  also  serves  to  alert  a user  if  his  password  has  been 
compromised . 

Despite  these  drawbacks,  use  of  a properly  constructed 
one-way  enciphering  algorithm  can  provide  a measure  of 
additional  security  to  a system  at  very  little  cost.  It  can 
provide  security  against  anyone  obtaining  a password  list 
through  an  accidental  dump  of  the  system  files,  for  example. 
It  will  also  discourage  a system  administrator  from  thinking 
that  in  order  to  be  responsible  to  his  duties,  he  needs  to 
keep  a listing  of  passwords  in  his  office. 

The  development  of  an  "irreversible"  cipher 
transformation  for  encrypting  passwords  is  harder  than  it 
would  appear  at  first.  The  Multics  algorithm  appears  to 
have  been  selected  in  an  ad  hoc  fashion.  Even  so,  to  the 
casual  observer,  it  would  at  first  glance  appear  to  be  quite 
difficult  to  invert. 

It  is  interesting  to  observe  the  two  approaches 
embodied  in  <EVA74>  and  <PUR74>;  one  which  creates  complex 
ad  hoc  algorithms,  the  behavior  of  which  are  not  known,  the 
other  which  adopts  an  analytical  approach  to  the  design  of 
the  algorithm  and  computes  the  probability  of  successful 
attack  under  stated  assumptions  regarding  what  is  known  or 
assumed  available  to  the  attacker. 

For  future  developments  in  this  area,  one  or  more  of 
the  functions  discussed  by  Evans  appears  more  promising  than 
the  function  which  had  been  used  on  Multics.  ESD/MCI  has 
provided  an  improved  password  scrambler  that  is  now  used  in 
Multics  although  the  "non-invertibility"  of  it  is  not 
guaranteed.  This  routine  is  also  used  in  Multics  to  encrypt 
and  decrypt  files.  The  basic  encryption  algorithm  is 
contained  in  Appendix  D. 
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APPENDIX  A 

Password  Scramble  Listing 


This  appendix  contains  the  listing  of  "scramble  the 
program  used  on  Multics  at  the  time  of  the  ESD  securTty 
study  to  encipher  user  passwords.  This  routine  was  invoked 
at  every  user  login  attempt.  It  enciphered  the  password 
typed  at  the  terminal  for  comparison  with  the  version  of  the 
password  stored  in  the  Person  Name  Table.  As  a result  of 
the  ESD  security  analysis,  an  improved  password  enciphering 
algorithm  is  now  in  use  on  Multics.  This  improved  algorithm 
is  listed  in  Appendix  D. 
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APPENDIX  B 

Unscrambling  Listing  for  Short  Passwords 


« 


This  appendix  contains  the  listing  of  "unscr,"  the 
unscrambling  routine  used  to  invert  enciphered  passwords  o-f 
less  than  or  equal  to  six  characters.  This  routine  is 
discussed  in  section  II.  When  unscr  is  applied  to  a 
password  that  has  been  enciphered  by  scramble  , it  will 
either  return  a recovered  password,  or  it  wilT  report  a 
failure  if  the  password  is  more  than  six  characters  long. 
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APPENDIX  C 

General  Unscrambling  Listing  for  All  Passwords 


vs? 


This  appendix  contains  the  listing  of  "better",  the 
routine  which  was  used  to  successfully  invert  all  passwords 
in  the  Person  Name  Table.  The  nature  of  the  general 
solution  is  discussed  in  section  III. 
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APPENDIX  D 

Improved  Password  Scrambling  Listing  and  Documentation 


This  appendix  contains  the  listing  of  "encipher_",  the  improved 
password  scrambling  algorithm  which  was  implemented  on  Multics  following 
the  ESD  security  analysis.  This  program  is  also  used  to  encrypt  and 
decrypt  files  in  Multics  using  the  standard  Multics  commands  "encode" 
and  "decode". 

The  algorithm  generates  a new  key  word  by  forming  a function 
selection  word  from  the  last  ciphertext  word  (or  initial  key  at  the 
start),  then  using  the  last  ciphertext  word  as  a fill,  generates  a new 
key  word  according  to  bits  0-4  of  the  function  selection  word  as  shown 
in  the  table  below.  The  notation  used  in  the  table  is: 

IS  rotate  function  (circular  shift  the  value  on  the 
right  by  the  amount  on  the  left) 

«■  addition 
8 exclusive  OR 

The  expressions  are  evaluated  from  right  to  left  with  parenthetic 
grouping  having  its  normal  meaning.  As  an  example,  the  expression  M5  ♦ 
A5  (D  (M4  8 M3  ♦ A3  fl  (M2  8 Ml  + AI  (DC))  would  be  evaluated  as 


a) 

Rotate  C by  the 

amount  Ai 

b) 

Add  Ml 

c) 

Exclusive  OR  M2 

d) 

Rotate  the  value 

obtained 

thus 

far  by 

the 

amount 

A3 

e) 

Add  M3 

f) 

Exclusive  OR  M4 

s) 

Rotate  the  value 

obtained 

thus 

far  by 

the 

amount 

A5 

h) 

Add  M5 

The  values  of  Ml,  ...,  M7  and  Ai,  ...,  A7  are  offsets  in  the  register 
containing  the  key.  The  contents  of  this  register  are  obtained  by 
applying  a Tausworth  pseudo-random  number  generator  (1)  to  the  input  key 
value.  The  value  of  C is  the  word  that  is  to  be  enciphered. 

Figure  4 is  a flowchart  for  the  portion  of  encipher_  that  actually 
performs  the  enciphering  of  a word. 


(1)  Whittleself,  John  R.B.,  "A  Comparison  of  the  Correlation  Behavior  of 
Random  Number  Generators  for  the  IBM  360" » Communications  of  the  ACM, 

Vol  11,  No.  9,  September  1968. 


BITS  0-4  OF 
FUNCTION  SELECT 
(bits  numbered 
4.  3.  2.  1) 


Function  Select  = 0-4  of  M7  « A7  ID  (M6  + A6  <D  C(i-O) 


M5  + A5  0 (M4  9 A4  ID  (M3  ♦ A3  (D  (M2  9 A2  0 (Ml  ♦ A1  0 C) ) ) ) 
M5  + M4  9 A4  0 (M3  + A3  0 (M2  ® A2  0 (Ml  ♦ A1  ffl  C))) 

M5  + A5  0 (M4  « M3  + A3  01  (M2  9 A2  0 (Ml  + A1  01  C))) 

M5  + M4  9 M3  ♦ A3  0 (M2  9 A2  0 (Ml  + A1  0 C)) 

M5  + A5  0 (M4  9 A4  ID  (M3  M2  9 A2  0)  (Ml  + A1  <D  C))) 

M5  + M4  9 A4  0 (M3  ♦ M2  9 A2  0 (Ml  ♦ A1  0 C)) 

M5  ♦ A5  0 (M4  9 M3  + M2  9 A2  0 (Ml  + A1  0 C)) 

M5  + M4  ® M3  ♦ M2  9 A2  0 (Ml  ♦ A1  0 C) 

M5  + A5  0 (M4  9 A4  0 (M3  ♦ A3  0 (M2  9 Ml  + A1  0 C))) 

M5  + M4  9 A4  0 (M3  + A3  0 (M2  9 Ml  + A1  0 C) ) 

M5  + A5  0 (M4  9 M3  ♦ A3  0 (M2  9 Ml  ♦ A1  0 O) 

M5  + M4  9 M3  A3  0 (M2  9 Ml  «■  A1  0 C) 

M5  ♦ A5  0 (M4  9 A4  0 (M3  ♦ M2  9 Ml  ♦ A1  0 C) ) 

M5  + M4  9 A4  0 (M3  + M2  9 Ml  + A1  0 C) 

M5  + A5  0 (M4  9 M3  + M2  9 Ml  + AH  C) 

M5  + M4  ® M3  + M2  9 Ml  + A1  0 C 
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First  coapute  select  function 


CNJKV  SEQUENCES 


NAHE  DEFINITIONS  FOR  ENTRY  POINTS  AND  SEGOEFS 


SYM80L  TABLE  HE  AUER 


^ s ^aaaooMaj^w*iaowQ^o(NJHOuifl  woaoaoiMtNivDN  noa,90Qooai4«4«4> 
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O*4*4O*4»»*4.r*4OOOOOOOOOOO*4*4*4O*4*«OO*4*4*4OOOOOO*4*4*4*4O*4*4OOOOOOOOOOO<0 


OHMaoNO*4^o^^^N^oao<A4<f^N«on«NKa>«^^aaooin*4^i0N)ON(MooaeooooooN4 
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HULIICS  ASSEMBLY  CROSS  REEERE  MCE  LISTING 


MISSION 
OF  THE 

DIRECTORATE  OF  COMPUTER  SYSTEMS  ENGINEERING 


The  Directorate  of  Computer  Systems  Engineering 
provides  ESD  with  technical  services  on  matters 
involving  computer  technology  to  help  ESD  system 
development  and  acquisition  offices  exploit  computer 
technology  through  engineering  application  to  enhance 
Air  Force  systems  and  to  develop  guidance  to  minimise 
R&D  and  investment  costs  in  the  application  of  computer 
technology. 

The  Directorate  of  Computer  Systems  Engineering 
also  supports  AFSC  to  insure  the  transfer  of  computer 
technology  and  information  throughout  the  Command, 
including  maintaining  an  overview  of  all  matters  pertain- 
ing to  the  development,  acquisition,  and  use  of  computer 
resources  in  systems  in  all  Divisions,  Centers  and 
Laboratories  and  providing  AFSC  with  a corporate 
memory  for  all  problems /solutions  and  developing 
recommendations  for  RDTfeE  programs  and  changes  in 
management  policies  to  insure  such  problems  do  sot 
reoccur. 
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